Tuning fraud filters for peptide stores
- Default gateway fraud rules are tuned for low-risk retail and will either bleed chargebacks or block good peptide orders.
- Start with AVS + CVV hard rules, layer velocity caps, then add 3DS selectively on high-ticket and repeat-decline orders.
- Measure every rule against both chargeback ratio and false-decline rate before you make it permanent.
A peptide operator we talked to last quarter had a clean offer, decent margins, and a chargeback ratio creeping toward 1.1%. His gateway fraud rules were stock — exactly what the integration wizard set on day one. AVS was set to "advisory only," CVV mismatches were allowed through, and there was no velocity cap at all. One stolen-card ring found his checkout, ran 40 orders in an afternoon, and three weeks later he was staring at a reserve increase and a warning letter. None of it was necessary. The rules to stop it were already in his gateway. Nobody had turned them on.
This is the most common avoidable problem we see on peptide books. Fraud filters are free, they ship with every gateway, and almost nobody tunes them for the vertical. Here is how to do it without strangling your conversion rate.
Why peptide stores need custom filter tuning
Default fraud rules assume a low-risk merchant: low average ticket, mainstream product, customers who shop from their home billing address. Peptide checkout breaks all three assumptions. Average tickets run higher. Customers buy from work, from a VPN, from a shipping address that is not their billing address. And peptide stores attract more card-testing traffic because the category is known to run permissive default settings.
So you get punished twice. The stock rules let real fraud through because they are set to "advisory." And when you panic and tighten everything, the same rules block legitimate repeat buyers who happen to use a forwarding address. The goal is a middle path: hard rules where fraud signal is unambiguous, soft rules where it is noisy, and 3DS where the ticket justifies the friction.
Before you touch anything, pull 90 days of orders and tag every chargeback by reason code. If most of your disputes are genuine "I never authorized this" fraud, filters help a lot. If most are friendly fraud ("I never received it" from someone who did), filters help less and your refund and fulfillment policy matters more. Know which problem you actually have first.
Layer one: AVS and CVV
Address Verification (AVS) and CVV checks are the cheapest fraud reduction you own. They run on the issuer side, cost nothing extra, and catch a meaningful slice of stolen-card attempts.
For a peptide store, set CVV to a hard decline on mismatch. There is almost no legitimate reason a real cardholder enters the wrong CVV three times. AVS is noisier because forwarding addresses and gift orders produce legitimate mismatches, so set AVS to decline on a full no-match (N response) but allow a ZIP-only match (the common Z and A partial responses). That single configuration stops the lazy card-testers without blocking the customer shipping to a reshipper.
| Signal | Recommended action | Why | False-decline risk |
|---|---|---|---|
| CVV mismatch | Hard decline | Almost never legitimate | Very low |
| AVS full no-match (N) | Decline or review | Strong fraud signal | Low |
| AVS ZIP-only match | Allow | Common with forwarders | Medium if blocked |
| AVS unavailable (intl) | Route to 3DS | No data, not proof of fraud | High if blocked |
Layer two: velocity caps
Velocity checks limit how many attempts a single fingerprint can make in a window. This is the single rule that would have stopped the card-testing afternoon described up top. A velocity check counts attempts by card number, by IP, by device, and by email, and blocks once a threshold trips.
Sensible starting caps for a peptide store:
- Max 3 card numbers per IP per hour.
- Max 4 declined attempts per card per day, then a 24-hour lockout.
- Max 2 distinct billing names per device in a session.
- Max 5 orders per email per 24 hours (raise for genuine bulk buyers you know).
Velocity rules almost never hurt conversion because real customers do not retry a dozen cards. Card testers do exactly that. Turn velocity on first, watch for a week, and only loosen if you see legitimate buyers tripping a cap.
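The four starting caps above, written as sliding-window counters. This is an added example, not code from any gateway: the attempt fields (`card` as a tokenized fingerprint, `ip`, `device`, `session`, `name`, `email`) and the cap names are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict, deque
HOUR, DAY = 3600, 86400

class VelocityGuard:
    """Sliding-window counters for the four starting caps (timestamps in seconds)."""
    def __init__(self):
        self.ip_cards = defaultdict(deque)       # ip -> (ts, card fingerprint)
        self.card_declines = defaultdict(deque)  # card -> (ts, None)
        self.email_orders = defaultdict(deque)   # email -> (ts, None)
        self.session_names = defaultdict(set)    # (device, session) -> billing names
        self.locked_until = {}                   # card -> unlock timestamp

    @staticmethod
    def _recent(q, now, window):
        while q and q[0][0] <= now - window:     # drop entries older than the window
            q.popleft()
        return q

    def check(self, a, now):
        """Return the name of the tripped cap, or None if the attempt may proceed."""
        if self.locked_until.get(a["card"], 0) > now:
            return "card_lockout"
        seen = {c for _, c in self._recent(self.ip_cards[a["ip"]], now, HOUR)}
        if len(seen | {a["card"]}) > 3:          # max 3 card numbers per IP per hour
            return "ip_card_count"
        names = self.session_names[(a["device"], a["session"])]
        if len(names | {a["name"]}) > 2:         # max 2 billing names per device session
            return "device_names"
        if len(self._recent(self.email_orders[a["email"]], now, DAY)) >= 5:
            return "email_orders"                # max 5 orders per email per 24 hours
        self.ip_cards[a["ip"]].append((now, a["card"]))
        names.add(a["name"])
        return None

    def record(self, a, approved, now):
        """Feed the gateway result back after an attempt that check() allowed."""
        if approved:
            self.email_orders[a["email"]].append((now, None))
            return
        q = self._recent(self.card_declines[a["card"]], now, DAY)
        q.append((now, None))
        if len(q) >= 4:                          # 4 declines in a day -> 24-hour lockout
            self.locked_until[a["card"]] = now + DAY

def simulate_card_testing(n_cards):
    # Constructed scenario: one IP tries n_cards different cards, one per minute.
    guard = VelocityGuard()
    return [guard.check({"card": f"fp{i}", "ip": "198.51.100.7", "device": "d1",
                         "session": "s1", "name": "A Buyer", "email": f"u{i}@example.test"},
                        now=i * 60) for i in range(n_cards)]
```

Known bulk buyers get a higher email cap by checking an allowlist before `check()` is called, rather than by raising the cap for everyone.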
Layer three: selective 3D Secure
3D Secure (3DS) adds an issuer authentication step and shifts most fraud liability to the issuer on authenticated transactions. The cost is friction — a small share of customers abandon at the bank challenge screen. So you do not put 3DS on every order. You put it where the risk justifies the friction.
Trigger 3DS on: orders above a ticket threshold you set (commonly two to three times your average order value), any order where AVS came back unavailable, any first-time buyer using a mismatched billing and shipping country, and any card that has already tripped a velocity decline today. Let your clean repeat buyers through frictionless. This selective approach typically cuts fraud chargebacks hard while costing you only a point or two of conversion on the flagged slice, not your whole book.
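The AVS/CVV table and the 3DS triggers combine into one decision function: hard rules first, then soft signals that route to 3DS. This is an added example, not a gateway's rule syntax. The order fields, the result-code letters, and the 2.5x ticket multiple are assumptions, and the sample orders are constructed.

```python
# Assumed result codes (common US gateway letters; check your gateway's docs):
#   AVS  Y = street and ZIP match, Z = ZIP only, A = street only,
#        N = nothing matches, U/G = issuer returned no AVS data
#   CVV  M = match, N = mismatch
AVS_NO_DATA = {"U", "G"}

def decide(order, avg_order_value, ticket_multiple=2.5):
    """Return (action, reasons) where action is 'decline', '3ds' or 'allow'."""
    # Hard rules first: unambiguous signals end the evaluation.
    if order["cvv"] == "N":
        return "decline", ["cvv_mismatch"]
    if order["avs"] == "N":
        return "decline", ["avs_full_no_match"]
    # Soft signals accumulate; any one of them routes the order to 3DS.
    reasons = []
    if order["avs"] in AVS_NO_DATA:
        reasons.append("avs_unavailable")
    if order["amount"] > ticket_multiple * avg_order_value:
        reasons.append("high_ticket")
    if order["first_time"] and order["bill_country"] != order["ship_country"]:
        reasons.append("new_buyer_country_mismatch")
    if order["velocity_decline_today"]:
        reasons.append("prior_velocity_decline")
    return ("3ds", reasons) if reasons else ("allow", [])

# Constructed sample orders (not real data); average order value assumed 150.
SAMPLES = {
    "repeat_buyer_via_reshipper": dict(cvv="M", avs="Z", amount=140, first_time=False,
        bill_country="US", ship_country="US", velocity_decline_today=False),
    "new_international_buyer": dict(cvv="M", avs="G", amount=180, first_time=True,
        bill_country="GB", ship_country="US", velocity_decline_today=False),
    "large_repeat_order": dict(cvv="M", avs="Y", amount=600, first_time=False,
        bill_country="US", ship_country="US", velocity_decline_today=False),
    "wrong_cvv": dict(cvv="N", avs="Y", amount=90, first_time=True,
        bill_country="US", ship_country="US", velocity_decline_today=False),
}

def classify_samples(avg_order_value=150):
    return {name: decide(o, avg_order_value) for name, o in SAMPLES.items()}
```

Returning the reason list with the action lets you later count which trigger sent each order to 3DS.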
Layer four: blocklists and allowlists
Every gateway lets you maintain manual lists. Use them. When you win or lose a chargeback, add the card fingerprint and email to a blocklist. When a high-value repeat customer trips a rule by accident, add them to an allowlist so they sail through next time. These lists are tedious to maintain and worth every minute — they are the only fraud control that learns from your specific buyers.
One caution: do not blocklist by IP range alone. Peptide buyers use VPNs heavily for privacy reasons that have nothing to do with fraud. Blocking a VPN exit node blocks dozens of legitimate customers along with one bad actor.
Measuring whether your tuning worked
Two numbers tell you if a rule is helping: your chargeback ratio and your false-decline rate. A rule that cuts chargebacks but quietly declines good orders is not a win — you just moved the loss from disputes to abandoned carts where you cannot see it.
Track both before and after every change. Keep your ratio comfortably under the card-network thresholds — Visa flags excessive at 0.9% and Mastercard at 1.0% — with real headroom, not right at the line. And watch your decline rate week over week. If declines jump after a tightening, you over-corrected. Loosen the noisiest rule, usually AVS, and re-measure.
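One way to get both numbers before a rule goes live is to replay it over labelled order history. This is an added example, not a gateway feature: the order fields and rule names are assumptions, the 1,000-order history is constructed, and the ratio is simplified to chargebacks divided by orders.

```python
def backtest(orders, blocks):
    """Replay labelled history through one rule; blocks(order) is True for a decline."""
    kept = [o for o in orders if not blocks(o)]
    good = [o for o in orders if not o["chargeback"]]
    return {
        "chargeback_ratio_before": sum(o["chargeback"] for o in orders) / len(orders),
        "chargeback_ratio_after": sum(o["chargeback"] for o in kept) / len(kept),
        "false_decline_rate": sum(1 for o in good if blocks(o)) / len(good),
    }

def constructed_history():
    # Constructed 1,000-order sample (not real data): (count, AVS code, chargeback?)
    mix = [(941, "Y", False), (45, "Z", False), (3, "N", False),
           (7, "N", True), (2, "Z", True), (2, "Y", True)]
    return [{"avs": avs, "chargeback": cb} for n, avs, cb in mix for _ in range(n)]

# Two candidate AVS rules: the recommended one and an over-tightened one.
RULES = {
    "decline_full_no_match": lambda o: o["avs"] == "N",
    "decline_any_mismatch": lambda o: o["avs"] in {"N", "Z", "A"},
}

def compare_rules():
    history = constructed_history()
    return {name: backtest(history, rule) for name, rule in RULES.items()}
```

On this constructed sample, declining every AVS mismatch takes the chargeback ratio from about 0.40% to about 0.21% compared with declining only full no-match, but the false-decline rate goes from about 0.3% to about 4.9% of good orders.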
Where orchestration changes the math
If you run a single peptide brand, all of this lives inside one gateway and you tune it in one dashboard. If you run several brands, fraud tuning gets harder fast: each gateway has its own rule engine, its own blocklist, and its own thresholds, and a card-tester banned on brand A walks straight into brand B. A parent merchant account with shared fraud rules across brands solves the cross-brand gap — one blocklist, one velocity engine, one place to tune. That is the model we orchestrate for multi-brand peptide operators. We do not process the payment ourselves; we sit on top of your acquirer and gateway so the fraud controls work consistently across the whole portfolio. For a single brand, tuning your existing gateway is the better call and you do not need us. See how the layers fit in "How it works."
If you are running three or more peptide brands and your fraud rules are fragmented across gateways, an honest fit check takes about twelve questions and gets you a straight answer on whether consolidating fraud controls under one parent account is worth it. If you are single-brand, we will tell you to keep tuning what you have.